Embedded Files
Layer 2 Tunneling Protocol L2TP
L2TP extends the PPP model by allowing the L2 termination point (Network Access Server or LAC L2TP Access Concentrator) and PPP endpoint (LNS L2TP Network Server) to reside on different devices interconnected by an IP network. L2TP uses UDP port 1701.
Operation
There are two steps to tunneling a PPP session with L2TP- 1) establishing a Control Connection for a Tunnel, and 2) establishing a Session as triggered by an incoming or outgoing call request. The Tunnel and the corresponding Control Connection must be established before an incoming or outgoing call can be established. Multiple session can exist within a single Tunnel. Also, multiple tunnels can exist between a LAC and an LNS.
1. Control Connection Establishment
It is the initial connection that must be established between a LAC and an LNS before sessions can be brought up. Establishment involves securing the identity of the peer and other peer capabilities, etc. Three types of messages are exchanged between peers to setup a Control Connection.
The first message sent is SCCRQ Start Control Connection Request. It contains various AVPs (Attribute-Value Pairs) like Message Type, Protocol version, Hostname, Assigned Tunnel ID, CHAP Challenge (optional), etc. This message can be sent by either LAC or LNS.
The second message is SCCRP Start Control Connection Reply. It is sent in response to SCCRQ. It is used to indicate that SCCRQ was accepted and establishment of tunnel can continue. It contains AVPs like Message Type, Protocol version, Hostname, Assigned Tunnel ID, CHAP Challenge Response (optional), etc.
The third message is SCCCN Start Control Connection Connected. SCCCN is sent in response to SCCRP to indicate the tunnel establishment process is complete. It contains AVPs like Message Type and Challenge Response (optional).
A ZLB (Zero Length Bit) message is sent to indicate no further messages waiting in queue for the peer.
2. Session Establishment
After Control Connection is successfully established, individual sessions can be created. Three types of messages are exchanged between LAC and LNS when a call is detected by the LAC.
The first message sent by the LAC to LNS is ICRQ Incoming Call Request. The LAC may choose to a) defer the call until an ICRP message is received from the LNS, or b) negotiate LCP and PPP authentication and use the information to choose an LNS. It contains AVPs like Message Type, Assigned Session ID, etc.
The second message sent by the LNS to the LAC is ICRP Incoming Call Reply. ICRP is used to indicate that the ICRQ was successful. It also allows for the LNS to indicate necessary parameters for the L2TP session. It contains AVPs like Message Type and Assigned Session ID.
The third message sent by the LAC to the LNS is ICCN Incoming Call Connected. It is used to indicate that the ICRP was accepted, the call has been answered and the L2TP Session should move to Established state.
Again, a ZLB (Zero Length Bit) ACK message is sent to indicate no further messages waiting in queue for the peer.
Forwarding PPP Frames
Once L2TP tunnel establishment is complete, PPP frames from the Client are received at the LAC, stripped of CRC, link-framing and transparency bytes, encapsulated in L2TP, and forwarded over the appropriate tunnel. The LNS receives the L2TP packets, and processes the encapsulated PPP frames as if they were received on the local PPP interface. The peers put their assigned Tunnel ID and Session ID for all outgoing messages. Hence, the PPP frames are sent over a single tunnel between a given LAC-LNS pair.
L2TP Testbed
In this setup, any request with domain name amit.com.au as part of username will be tunneled to LNS via L2TP by LACs. Other requests with different domain name in username will be terminated on the LAC.
LAC Configuration
First step is to configure AAA access control system and to define PPP access. A TACACS+/ RADIUS server can be used with AAA. Here, local authentication is used.
aaa new-modelaaa authentication ppp default localNext step is to enable VPDN and define a VPDN group to which all VPDN attributes will be applied. Then enable LAC to request a dial in tunnel to an IP address if the dial in Client belongs to specific domain.
VPDN Configuration on LAC_1
vpdn enablevpdn group 1 request-dialin protocol l2tp domain amit.com.au ! This VPDN group is created to tunnel requests for domain-name amit.com.au initiate-to ip 10.45.1.2 ! IP address of LNS, tunnel end-point on LNS source-ip 10.1.1.1 ! IP address to be used as a source for L2TP packets, tunnel endpoint on LAC local name LAC_1 ! hostname to be used for tunnel authentication l2tp tunnel password 0 cisco ! L2TP tunnel password LAC should also be able to accept PPPoE requests from Clients.
bba-group pppoe global virtual-template 1!interface Loopback 0 ip address 1.1.1.1 255.255.255.255!interface FastEthernet0/0 no ip address pppoe enable group global!interface Virtual-Template1 ip unnumbered Loopback 0 ppp authentication chap callin peer default ip address pool MY_POOL ! For locally terminating PPPoE sessions from "Client"!ip local pool MY_POOL 10.10.1.10 10.10.1.20!username Client password 0 ciscoLNS Configuration
The AAA access control system must be configured on LNS too for PPP authentication.
aaa new-modelaaa authentication ppp default localVPDN must also be enabled on LNS to accept requests from LACs.
interface Loopback 0 ip address 3.3.3.3 255.255.255.255!vpdn enablevpdn-group 1 accept-dialin protocol l2tp virtual-template 1 ! Use Virtual_template 1 for attributes terminate-from hostname LAC_1 ! Terminate session from LAC_1 on this LNS source-ip 10.1.1.1 local name LNS l2tp tunnel password 0 cisco!vpdn-group 2 accept-dialin protocol l2tp virtual-template 2 terminate-from hostname LAC_2 ! Terminate session from LAC_2 on this LNS source-ip 10.2.2.1 local name LNS l2tp tunnel password 0 cisco!interface Virtual-Template1 ip unnumbered Loopback 0 peer default ip address pool POOL1 ppp authentication chap callin!interface Virtual_Template2 ip unnumbered Loopback 0 peer default ip address pool POOL2 ppp authentication chap callin!ip local pool POOL1 10.100.1.10 10.100.1.20ip local pool POOL2 10.100.2.10 10.100.2.20!username user@amit.com.au password 0 cisco ! Client's CHAP credentialsPPPoE Configuration on Client
interface FastEthernet0/0 no ip address pppoe enable group global pppoe-client dial-pool-number 1!interface Dialer1 ip address negotiated ip mtu 1492 encapsulation ppp dialer pool 1 ppp authentication chap callin ppp chap hostname user@amit.com.au ppp chap password 0 cisco!ip route 0.0.0.0 0.0.0.0 Dialer1Verification
The Client initiates a PPPoE session using a username user@amit.com.au, the LAC accepts the session and initiates an L2TP session with the LNS.
"debug ppp negotiation" on Client
Client#*Mar 1 00:38:20.191: %DIALER-6-BIND: Interface Vi2 bound to profile Di1*Mar 1 00:38:20.195: Vi2 PPP: Phase is DOWN, Setup*Mar 1 00:38:20.199: Vi2 PPP: Using dialer call direction*Mar 1 00:38:20.199: Vi2 PPP: Treating connection as a callout*Mar 1 00:38:20.199: Vi2 PPP: Session handle[5B0000B9] Session id[0]*Mar 1 00:38:20.199: Vi2 PPP: Phase is ESTABLISHING, Active Open!--- The LAC partially authenticates the Client and establishes PPP LCP session*Mar 1 00:38:20.203: Vi2 PPP: No remote authentication for call-out*Mar 1 00:38:20.203: Vi2 LCP: O CONFREQ [Closed] id 1 len 10*Mar 1 00:38:20.203: Vi2 LCP: MagicNumber 0x002E4D82 (0x0506002E4D82)*Mar 1 00:38:20.211: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up*Mar 1 00:38:20.323: Vi2 LCP: I CONFREQ [REQsent] id 1 len 19*Mar 1 00:38:20.323: Vi2 LCP: MRU 1492 (0x010405D4)*Mar 1 00:38:20.323: Vi2 LCP: AuthProto CHAP (0x0305C22305)*Mar 1 00:38:20.327: Vi2 LCP: MagicNumber 0x02283530 (0x050602283530)*Mar 1 00:38:20.327: Vi2 LCP: O CONFNAK [REQsent] id 1 len 8*Mar 1 00:38:20.327: Vi2 LCP: MRU 1500 (0x010405DC)*Mar 1 00:38:20.339: Vi2 LCP: I CONFACK [REQsent] id 1 len 10*Mar 1 00:38:20.339: Vi2 LCP: MagicNumber 0x002E4D82 (0x0506002E4D82)*Mar 1 00:38:20.339: Vi2 LCP: I CONFREQ [ACKrcvd] id 2 len 19*Mar 1 00:38:20.343: Vi2 LCP: MRU 1500 (0x010405DC)*Mar 1 00:38:20.343: Vi2 LCP: AuthProto CHAP (0x0305C22305)*Mar 1 00:38:20.343: Vi2 LCP: MagicNumber 0x02283530 (0x050602283530)*Mar 1 00:38:20.347: Vi2 LCP: O CONFACK [ACKrcvd] id 2 len 19*Mar 1 00:38:20.347: Vi2 LCP: MRU 1500 (0x010405DC)*Mar 1 00:38:20.347: Vi2 LCP: AuthProto CHAP (0x0305C22305)*Mar 1 00:38:20.347: Vi2 LCP: MagicNumber 0x02283530 (0x050602283530)*Mar 1 00:38:20.347: Vi2 LCP: State is Open!--- The LAC is requesting CHAP authentication with the Client*Mar 1 00:38:20.351: Vi2 PPP: Phase is AUTHENTICATING, by the peer*Mar 1 00:38:20.399: Vi2 CHAP: I CHALLENGE id 1 len 26 from "LAC_2"*Mar 1 00:38:20.407: Vi2 CHAP: Using hostname from interface CHAP*Mar 1 00:38:20.407: Vi2 CHAP: Using password from interface CHAP*Mar 1 00:38:20.407: Vi2 CHAP: O RESPONSE id 1 len 37 from "user@amit.com.au"*Mar 1 00:38:22.131: Vi2 CHAP: I SUCCESS id 1 len 4*Mar 1 00:38:22.131: Vi2 PPP: Phase is FORWARDING, Attempting Forward*Mar 1 00:38:22.135: Vi2 PPP: Queue IPCP code[1] id[1]!--- At this stage, the LAC initiates the L2TP session with the LNS and forwards the information to the LNS*Mar 1 00:38:22.291: Vi2 PPP SSS: Receive SSS-Mgr Connect-Local*Mar 1 00:38:22.299: Vi2 PPP: Phase is ESTABLISHING, Finish LCP*Mar 1 00:38:22.303: Vi2 PPP: Phase is UP*Mar 1 00:38:22.303: Vi2 IPCP: O CONFREQ [Closed] id 1 len 10*Mar 1 00:38:22.303: Vi2 IPCP: Address 0.0.0.0 (0x030600000000)*Mar 1 00:38:22.307: Vi2 CDPCP: O CONFREQ [Closed] id 1 len 4*Mar 1 00:38:22.307: Vi2 PPP: Process pending ncp packets*Mar 1 00:38:22.307: Vi2 IPCP: Redirect packet to Vi2*Mar 1 00:38:22.307: Vi2 IPCP: I CONFREQ [REQsent] id 1 len 10*Mar 1 00:38:22.311: Vi2 IPCP: Address 3.3.3.3 (0x030603030303)*Mar 1 00:38:22.311: Vi2 IPCP: O CONFACK [REQsent] id 1 len 10*Mar 1 00:38:22.311: Vi2 IPCP: Address 3.3.3.3 (0x030603030303)*Mar 1 00:38:22.563: Vi2 IPCP: I CONFNAK [ACKsent] id 1 len 10*Mar 1 00:38:22.563: Vi2 IPCP: Address 10.100.2.10 (0x03060A64020A)*Mar 1 00:38:22.563: Vi2 IPCP: O CONFREQ [ACKsent] id 2 len 10*Mar 1 00:38:22.563: Vi2 IPCP: Address 10.100.2.10 (0x03060A64020A)*Mar 1 00:38:22.563: Vi2 LCP: I PROTREJ [Open] id 1 len 10 protocol CDPCP (0x820701010004)*Mar 1 00:38:22.563: Vi2 CDPCP: State is Closed*Mar 1 00:38:22.563: Vi2 CDPCP: State is Listen*Mar 1 00:38:22.799: Vi2 IPCP: I CONFACK [ACKsent] id 2 len 10*Mar 1 00:38:22.799: Vi2 IPCP: Address 10.100.2.10 (0x03060A64020A)*Mar 1 00:38:22.799: Vi2 IPCP: State is Open*Mar 1 00:38:22.803: Di1 IPCP: Install negotiated IP interface address 10.100.2.10*Mar 1 00:38:22.823: Di1 IPCP: Install route to 3.3.3.3*Mar 1 00:38:22.839: Vi2 IPCP: Add link info for cef entry 3.3.3.3*Mar 1 00:38:23.299: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to upThe debug l2tp event command shows the events occurred during L2TP session creation.
debug l2tp event
LNS#*Mar 1 00:02:15.743: L2X tnl 01000:________: Create logical tunnel*Mar 1 00:02:15.747: L2TP tnl 01000:________: Create tunnel*Mar 1 00:02:15.747: L2TP tnl 01000:________: version set to V2*Mar 1 00:02:15.751: L2TP tnl 01000:________: remote ip set to 10.2.2.1*Mar 1 00:02:15.755: L2TP tnl 01000:________: local ip set to 10.45.1.2*Mar 1 00:02:15.767: L2TP tnl 01000:000005E8: FSM-CC ev Rx-SCCRQ*Mar 1 00:02:15.767: L2TP tnl 01000:000005E8: FSM-CC Idle->Proc-SCCRQ*Mar 1 00:02:15.771: L2TP tnl 01000:000005E8: FSM-CC do Rx-SCCRQ*Mar 1 00:02:15.787: L2X _____:________: Tunnel author started for LAC_2*Mar 1 00:02:15.787: L2X _____:________: Tunnel author found*Mar 1 00:02:15.787: L2TP tnl 01000:000005E8: Author reply, data source: "2"*Mar 1 00:02:15.787: L2X _____:________: class [l2tp_default_class]*Mar 1 00:02:15.787: L2X _____:________: created*Mar 1 00:02:15.787: L2X _____:________: class [l2tp_default_class]*Mar 1 00:02:15.787: L2X _____:________: Internal locked 0->1*Mar 1 00:02:15.787: L2X _____:________: class [AAA author, group "2"]*Mar 1 00:02:15.787: L2X _____:________: created*Mar 1 00:02:15.787: L2X _____:________: class [AAA author, group "2"]*Mar 1 00:02:15.787: L2X _____:________: App locked 0->1*Mar 1 00:02:15.787: L2X _____:________: class [AAA author, group "2"]*Mar 1 00:02:15.787: L2X _____:________: Protocol locked 0->1*Mar 1 00:02:15.787: L2TP tnl 01000:000005E8: class name AAA author, group "2"*Mar 1 00:02:15.787: L2X _____:________: class [AAA author, group "2"]*Mar 1 00:02:15.787: L2X _____:________: App unlocked 1->0*Mar 1 00:02:15.787: L2TP tnl 01000:000005E8: FSM-CC ev SCCRQ-OK*Mar 1 00:02:15.787: L2TP tnl 01000:000005E8: FSM-CC Proc-SCCRQ->Wt-SCCCN*Mar 1 00:02:15.787: L2TP tnl 01000:000005E8: FSM-CC do Tx-SCCRP*Mar 1 00:02:15.791: L2TP tnl 01000:000005E8: Open sock 10.45.1.2:1701->10.2.2.1:1701*Mar 1 00:02:15.795: L2TP tnl 01000:000005E8: FSM-CC ev Sock-Ready*Mar 1 00:02:15.795: L2TP tnl 01000:000005E8: FSM-CC in Wt-SCCCN*Mar 1 00:02:15.799: L2TP tnl 01000:000005E8: FSM-CC do Ignore-Sock-Up*Mar 1 00:02:15.931: L2TP tnl 01000:000005E8: FSM-CC ev Rx-SCCCN*Mar 1 00:02:15.935: L2TP tnl 01000:000005E8: FSM-CC Wt-SCCCN->Proc-SCCCN*Mar 1 00:02:15.935: L2TP tnl 01000:000005E8: FSM-CC do Rx-SCCCN*Mar 1 00:02:15.939: L2TP tnl 01000:000005E8: Tunnel Authentication success*Mar 1 00:02:15.947: L2TP tnl 01000:000005E8: FSM-CC ev SCCCN-OK*Mar 1 00:02:15.947: L2TP tnl 01000:000005E8: FSM-CC Proc-SCCCN->established*Mar 1 00:02:15.951: L2TP tnl 01000:000005E8: FSM-CC do Established*Mar 1 00:02:15.955: L2TP tnl 01000:000005E8: Control channel up*Mar 1 00:02:15.959: L2TP tnl 01000:000005E8: 10.45.1.2<->10.2.2.1*Mar 1 00:02:15.971: L2X _____:_____:________: Create logical session*Mar 1 00:02:15.971: L2TP _____:_____:________: Create session*Mar 1 00:02:15.971: L2TP _____:_____:________: Using ICRQ FSM*Mar 1 00:02:15.971: L2TP _____:_____:________: remote ip set to 10.2.2.1*Mar 1 00:02:15.971: L2TP _____:_____:________: local ip set to 10.45.1.2*Mar 1 00:02:15.971: L2TP tnl 01000:000005E8: FSM-CC ev Session-Conn*Mar 1 00:02:15.971: L2TP tnl 01000:000005E8: FSM-CC in established*Mar 1 00:02:15.971: L2TP tnl 01000:000005E8: FSM-CC do Session-Conn-Est*Mar 1 00:02:15.971: L2TP tnl 01000:000005E8: Session count now 1*Mar 1 00:02:15.971: L2TP _____:01000:00000002: FSM-Sn ev CC-Up*Mar 1 00:02:15.971: L2TP _____:01000:00000002: FSM-Sn in Idle*Mar 1 00:02:15.971: L2TP _____:01000:00000002: FSM-Sn do CC-Up-Ignore0-1*Mar 1 00:02:15.971: L2TP _____:01000:00000002: Session attached*Mar 1 00:02:15.971: L2TP _____:01000:00000002: no cookies enabled*Mar 1 00:02:15.971: L2TP _____:01000:00000002: FSM-Sn ev Rx-ICRQ*Mar 1 00:02:15.971: L2TP _____:01000:00000002: FSM-Sn Idle->Proc-ICRQ*Mar 1 00:02:15.971: L2TP _____:01000:00000002: FSM-Sn do Rx-ICRQ*Mar 1 00:02:15.971: L2TP _____:01000:00000002: Chose application VPDN*Mar 1 00:02:15.971: L2TP _____:01000:00000002: App type set to VPDN*Mar 1 00:02:15.971: L2TP tnl 01000:000005E8: VPDN Session count now 1*Mar 1 00:02:15.971: L2TP _____:01000:00000002: VPDN: process AVPs*Mar 1 00:02:15.971: L2TP _____:01000:00000002: Local AC is now UP*Mar 1 00:02:15.971: L2TP _____:01000:00000002: Remote AC is now UP*Mar 1 00:02:15.971: L2TP _____:01000:00000002:*Mar 1 00:02:16.007: L2TP _____:01000:00000002: App type set to VPDN*Mar 1 00:02:16.011: L2TP _____:01000:00000002: Session classname VPDN group 2 ip addr 0.0.0.0*Mar 1 00:02:16.015: L2TP _____:01000:00000002: UDP checksum ignore is enabled*Mar 1 00:02:16.015: L2TP _____:01000:00000002: Framing set to sync*Mar 1 00:02:16.019: L2TP _____:01000:00000002: Bearer set to none*Mar 1 00:02:16.019: L2TP _____:01000:00000002: group set to "VPDN group 2 ip addr 0.0.0.0"*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn ev ICRQ-OK*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn Proc-ICRQ->Wt-Tx-ICRP*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn do Tx-ICRP-Local-Check*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn ev Local-Cont*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn Wt-Tx-ICRP->Wt-Rx-ICCN*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn do Tx-ICRP*Mar 1 00:02:16.019: L2TP _____:01000:00000002: Open sock 10.45.1.2:1701->10.2.2.1:1701*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn ev Sock-Ready*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn in Wt-Rx-ICCN*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn do Ignore-Sock-Up*Mar 1 00:02:16.019: L2TP _____:01000:00000002:*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn ev DP-Setup*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn in Wt-Rx-ICCN*Mar 1 00:02:16.019: L2TP _____:01000:00000002: FSM-Sn do Ignore-DP-Setup*Mar 1 00:02:16.191: L2TP _____:01000:00000002: FSM-Sn ev Rx-ICCN*Mar 1 00:02:16.195: L2TP _____:01000:00000002: FSM-Sn Wt-Rx-ICCN->Proc-ICCN*Mar 1 00:02:16.199: L2TP _____:01000:00000002: FSM-Sn do Rx-ICCN*Mar 1 00:02:16.203: L2TP _____:01000:00000002: MTU is 65535*Mar 1 00:02:16.207: L2TP _____:01000:00000002: Session data plane UP*Mar 1 00:02:16.211: L2TP _____:01000:00000002: VPDN: process AVPs*Mar 1 00:02:16.215: L2TP _____:01000:00000002:*Mar 1 00:02:16.219: L2TP _____:01000:00000002: FSM-Sn ev ICCN-OK*Mar 1 00:02:16.223: L2TP _____:01000:00000002: FSM-Sn Proc-ICCN->established*Mar 1 00:02:16.223: L2TP _____:01000:00000002: FSM-Sn do Established*Mar 1 00:02:16.223: L2TP _____:01000:00000002: Session up*Mar 1 00:02:16.223: L2TP _____:01000:00000002: 10.45.1.2<->10.2.2.1*Mar 1 00:02:16.343: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up*Mar 1 00:02:16.363: L2TP _____:01000:00000002:*Mar 1 00:02:16.367: L2TP 00001:01000:00000002: FSM-Sn ev DP-Setup*Mar 1 00:02:16.371: L2TP 00001:01000:00000002: FSM-Sn in established*Mar 1 00:02:16.371: L2TP 00001:01000:00000002: FSM-Sn do DP-Set*Mar 1 00:02:16.395: L2TP 00001:01000:00000002:*Mar 1 00:02:17.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to upThe following output shows the L2TP session of LAC_2 with the LNS and PPPoE session of the Client forwarded to the LNS.
!--- It shows a PPPoE session "Forwarded" to the LNSLAC_2# show pppoe session 1 session in FORWARDED (FWDED) State 1 session totalUniq ID PPPoE RemMAC Port VT VA State SID LocMAC VA-st 30 30 c400.0b34.0000 Fa0/0 1 N/A FWDED c402.0b34.0000!--- It shows the L2TP session with the LNSLAC_2# show vpdn sessionL2TP Session Information Total tunnels 1 sessions 1LocID RemID TunID Username, Intf/ State Last Chg Uniq ID Vcid, Circuit27 5 47912 user@amit.com, Fa0/0 est 00:00:33 30The following output shows the route installed on the Client.
Client# show ip route | begin GatewayGateway of last resort is 0.0.0.0 to network 0.0.0.0 3.0.0.0/32 is subnetted, 1 subnetsC 3.3.3.3 is directly connected, Dialer1 10.0.0.0/32 is subnetted, 1 subnetsC 10.100.2.10 is directly connected, Dialer1S* 0.0.0.0/0 is directly connected, Dialer1Page updated
Google Sites
Report abuse